What can be certified?

30 January 2025

Certification can apply to an individual's skills, be awarded to a training organization, or pertain to one or more personal data processing activities carried out by a data controller or processor.

This content is a courtesy translation of the original publication in French. In the event of any inconsistencies between the French version and this English translation, please note that the French version shall prevail.

 

What can be certified?

Before applying for certification, a company, administration, or association (etc.) must first define what it wants to certify; this is the object of the certification.

Example 1:
A bank offers its clients an online service that allows them to view and manage their accounts. It wishes to have this service certified. To that end, all data processing operations implemented within this service will be evaluated (for example, signing up for the service, use of the website and mobile app by the user, data exchanges with the bank, account management processes, etc.).

Example 2:
An online retailer wants to certify only the authentication process that provides access to its service. In this case, only the authentication operations involved in the use of the website and mobile app will be evaluated. The certificate will be explicit about the object of the certification: “authentication process for the MyOnlineStore service,” and the company will ensure that all communications regarding this certification are clear about the specific object of the certification.

Example 3:
A furniture manufacturer uses customer management software. The small company holds a license for this application obtained from a software publisher. The publisher of this application can have its software (product) certified. In this case, the software’s features, the methods used in its design, and its user instructions will be subject to evaluation. The certificate issued to the publisher will clarify that the object of the certification is this software. Notably, the small company using this software in this example cannot claim to have obtained certification for its customer management process unless it has indeed acquired certification for that process.

A wide variety of certifications is made possible by the GDPR and the French Data Protection Act. However, certification is only available when the object to be certified is admissible for one of the certification mechanisms approved by the CNIL or the European Data Protection Board (EDPB).

Specifically, the CNIL has approved two certification mechanisms, allowing for:

Note: Higher education institutions benefit from other recognition systems. For example, SupDPO offers a list of data protection-related courses provided by higher education institutions.

What guarantees does a certificate provide regarding a company's compliance with the GDPR?

The certificate issued by the certification body provides assurance that the company, administration, association, etc., that applied for certification has provided the evaluator with the necessary elements to demonstrate compliance with each criterion. These findings consist of documents as well as practices observed during the evaluation. They are recorded by the certification body in an evaluation report. Therefore, the certificate summarizes the result of this assessment with a written assurance that the certified object meets the certification criteria.

Certification serves as an element that can be used to demonstrate compliance with the GDPR for data processing associated with a product, service, process, or information system. Indeed, to carry out its evaluation, the certification body relies on criteria approved by the CNIL or the EDPB. These criteria are designed to provide guarantees that aim to demonstrate compliance with the GDPR and the French Data Protection Act.

However, certification does not exhaustively translate the obligations of the GDPR into criteria, notably to allow targeted evaluations that are accessible to micro, small, and medium-sized enterprises. The evaluation conducted only concerns data processing related to the object to be certified. Consequently, an organization to which a certification has been granted may still face sanctions from the CNIL for a breach of the GDPR or the French Data Protection Act. In this regard, Article 83 of the GDPR provides that certification may constitute an aggravating or mitigating circumstance duly considered when deciding whether to impose an administrative fine and determining its amount.

Is certification a mandatory administrative procedure?

No.

Certification is a voluntary process to obtain a trust seal.

For the organization submitting its processing for certification, it is beneficial in demonstrating, based on the evaluation carried out by a certification body, that the criteria approved by the CNIL (or EDPB) are respected.

For example, certification serves as a positive signal for individuals whose personal data is processed (clients, product users, employees subject to human resources processing, etc.). Certification also serves as an additional trust tool in the relationship between the data controller and the data processor, as it allows the latter to demonstrate the existence of sufficient guarantees in compliance with the requirements of Article 28.

It is only for certain categories of personal data processing that regulations may make certification mandatory.